add k3s-in-dstack tutorial#93

Merged
h4x3rotab merged 3 commits into main from vk/1f65-create-k3s-in-ds
Apr 14, 2026
Conversation

@h4x3rotab
Contributor

Summary

  • Single-node k3s cluster running inside a dstack CVM with wildcard HTTPS, remote kubectl access, and TEE attestation evidence
  • Uses dstacktee/dstack-ingress:2.1 for automated Let's Encrypt DNS-01 wildcard certs
  • Includes optional RBAC and network policy hardening manifests
  • Step-by-step README targeting Phala Cloud deployment

Files

| File | Description |
| --- | --- |
| k3s/docker-compose.yaml | Three-service compose: kmod-installer, k3s, dstack-ingress |
| k3s/README.md | Full tutorial with architecture diagram, config reference, troubleshooting |
| k3s/manifests/rbac.yaml | Optional scoped admin ServiceAccount |
| k3s/manifests/network-policy.yaml | Optional default-deny + allow-internet + allow-traefik policies |
| README.md | Added Infrastructure section with k3s entry |

Test plan

  • Deployed on Phala Cloud with dstacktee/dstack-ingress:2.1
  • Wildcard cert obtained for *.dstack-k3s.t16z.com
  • HTTPS traffic via Traefik: ~0.25s, no inspect-delay penalty
  • Evidence endpoints (/evidences/, quote.json, sha256sum.txt): all 200
  • K3s API reachable via TLS passthrough on port 6443

🤖 Generated with Claude Code
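
The test plan above only checks that the evidence endpoints answer 200. As an added example (not code from this PR, dstack or Phala Cloud), the verifier below fetches sha256sum.txt from /evidences/, checks every listed file against its digest and confirms quote.json is present and well-formed; it assumes sha256sum.txt is standard `sha256sum` output and that the listed files are served under the same /evidences/ prefix, and the in-memory sample data is constructed, not real attestation output.

```python
import hashlib
import json
import urllib.request
from typing import Callable, Dict, List

# Added example, not from the PR. Assumed: sha256sum.txt is standard `sha256sum` output
# ("<hex digest>  <filename>" per line) and listed files share the /evidences/ prefix.
REQUIRED = ("quote.json",)  # files a verifier must see before trusting the set

def parse_sha256sum(text: str) -> Dict[str, str]:
    """Map filename -> expected lowercase hex digest from sha256sum.txt."""
    expected: Dict[str, str] = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode names with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed sha256sum line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_evidence(fetch: Callable[[str], bytes], base: str = "/evidences/") -> Dict[str, List[str]]:
    """Fetch the listing, then every listed file, and check each digest.
    fetch(path) returns a response body; injecting it keeps the check offline-testable.
    JSON evidence must also parse, so a truncated quote.json is reported as bad."""
    expected = parse_sha256sum(fetch(base + "sha256sum.txt").decode())
    report: Dict[str, List[str]] = {"ok": [], "bad": [], "missing": [n for n in REQUIRED if n not in expected]}
    for name, digest in expected.items():
        body = fetch(base + name)  # a missing file raises here: hard failure, not a silent skip
        good = hashlib.sha256(body).hexdigest() == digest
        if good and name.endswith(".json"):
            try:
                json.loads(body)
            except ValueError:
                good = False
        report["ok" if good else "bad"].append(name)
    return report

def https_fetcher(host: str) -> Callable[[str], bytes]:
    """Fetcher for a live deployment; host is any name covered by the wildcard cert."""
    def fetch(path: str) -> bytes:
        with urllib.request.urlopen(f"https://{host}{path}", timeout=15) as resp:
            return resp.read()
    return fetch

def sample_fetcher(files: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Constructed in-memory evidence set (not real attestation data) for offline runs."""
    listing = "".join(f"{hashlib.sha256(b).hexdigest()}  {n}\n" for n, b in files.items())
    store = {"/evidences/" + n: b for n, b in files.items()}
    store["/evidences/sha256sum.txt"] = listing.encode()
    return lambda path: store[path]
```

Against a deployment, call `verify_evidence(https_fetcher("<your-cvm-hostname>"))`; anything in `bad` or `missing` means the served evidence set does not match its own listing and should not be fed to a quote verifier.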

h4x3rotab and others added 3 commits April 14, 2026 16:33
Single-node k3s cluster running inside a dstack CVM with:
- Wildcard HTTPS via dstack-ingress (Let's Encrypt DNS-01)
- Remote kubectl access via TLS-passthrough gateway
- TEE attestation evidence served at /evidences/
- Optional RBAC and network policy hardening

Verified on Phala Cloud with dstacktee/dstack-ingress:2.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Deploys an nginx pod with Traefik IngressRoute and verifies:
- HTTPS traffic through wildcard cert
- TLS certificate CN
- Evidence endpoints (quote, cc_eventlog, raw_quote)
- k3s API server via TLS passthrough
- kubectl node readiness

Leaves the workload running for manual testing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

deploy.sh automates the entire flow:
- Deploy CVM via phala CLI
- Wait for SSH, extract kubeconfig
- Wait for k3s node Ready
- Wait for wildcard TLS certificate
- Deploy nginx test workload with IngressRoute
- Run a quick smoke test

README restructured: Quick Start now points to deploy.sh,
manual steps moved into a collapsible details section.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
h4x3rotab merged commit 43da63b into main Apr 14, 2026
6 checks passed

1 participant